Japan's Cybercrime Problem

Cyber criminals have been quick to exploit the March 11 earthquake and nuclear disaster in Japan.

By Mihoko Matsubara for The Diplomat

July 29, 2011

The March 11 disaster has brought with it yet another unwelcome side effect – an uptick in cybercrime.

Since the earthquake, tsunami and nuclear crisis, members of the public have been receiving virus-infected emails supposedly with information about the disaster, but which are actually being used to steal information. Some of the emails merely claim to be from government bodies, while others are sophisticated enough to look like they’ve been sent from government email accounts.

It’s not clear where exactly these emails are originating – some have used Chinese and South Korean access points, for example. But regardless, it’s essential that the government properly utilizes a new cybercriminal law to crack down on the problem, while promoting cooperation with the international community.

The new law is overdue. Up until the middle of July, Japan had no legislation for punishing those who create or keep computer viruses without good reason, which prevented Tokyo from actually joining the Convention of Cybercrime – the first international treaty on the issue – despite it having signed up in 2001.

The new also law covers emails containing obscene photographs, a move which is another requirement of Convention membership, and Tokyo is now making preparations for joining the international framework.

Under the new law, the maximum penalty for creating and distributing viruses is three years imprisonment or a fine of up to 500,000 yen. The maximum penalty for sending emails containing pornographic images is two years imprisonment or a fine of up to 2,500,000 yen.

Yet it’s not clear exactly how the law will be applied. For example, as it is currently written, the legislation allows the authorities to simply seize data from internet service providers. ‘This law leaves considerable discretion with the police. There’s no system of checks to prevent investigations from extending beyond the immediate charge,’ says Yamashita Yukio, chief secretary of the Japan Federation of Bar Association’s Committee on International Criminal Law Legislation.

The reality is that the number of cybercrimes has been skyrocketing in Japan. According to the National Police Agency (NPA), the number of such crimes increased from 3,161 in 2005 to 6,999 in 2010. And, since the earthquake and nuclear crisis, cybercrimes against both the private and public sectors have been proliferating. Trend Micro, for example, hasnoted that many companies have been receiving infected emails with subject headings including references to the earthquake, tsunami, nuclear reactor, energy saving, and the safety of families. Meanwhile, there have also been reports of cyber gangs targeting disaster victims by sending out infected emails supposedly about the risk of radiation exposure and information on evacuation areas.

But it’s not just members of the public who have been targeted – the NPA has reportedly received 24 malicious emails aimed at stealing classified information since May. The announcement marks the first time that the NPA has actually admitted being targeted, but it was quick to add that as none of the messages were actually opened, no sensitive information was leaked.

According to reports, all the subject headings of infected emails sent to the NPA were related to government plans, such as ‘Information Sharing: English information on the earthquake and tsunami.’ Some apparently also faked classification codes used by the Cabinet Office for its email messages.

An NPA analysis revealed that a half of the emails used access points in China, while two used South Korea. The others apparently couldn’t be traced. The police believe that most of the emails have been sent by Chinese (90 percent of malicious emails sent last year originated in China) although some may also have been sent from Japan and South Korea. Most of the senders impersonated Foreign Ministry and Coast Guard officials. One of them even used the real email address of a MOFA official.

Japanese are understandably distracted by the ongoing recovery from the March disaster. Yet although the physical impact has inevitably received most attention in the media, the impact of cyber-attacks can be devastating for the public and officials alike. If adequate countermeasures aren’t introduced, cyber criminals will continue to try to exploit disasters. At the same time, the government must address questions over the way the new law will be applied, and be willing to collaborate with international authorities to make full use of the Convention on Cybercrime.

Mihoko Matsubara is a resident SPF research fellow at Pacific Forum CSIS